Syncloud Game Hub: full feature work on top of phase-0 snap skeleton

.drone.jsonnet

@@ -1,14 +1,17 @@
-local name = 'game-server';
-local go = '1.23';
+local name = 'games';
+local go = '1.25';
 local nginx = '1.24.0';
 local node = '20';
-local platform = '26.04.7';
+local platform = '26.04.10';
 local python = '3.12-slim-bookworm';
 local deployer = 'https://github.com/syncloud/store/releases/download/4/syncloud-release';
 local distros = ['bookworm', 'buster'];
 local distro_default = 'bookworm';
 local arch = 'amd64';
 
+local platform_image(distro, arch) =
+  'syncloud/platform-' + distro + '-' + arch + ':' + platform;
+
 [{
   kind: 'pipeline',
   type: 'docker',
@@ -32,20 +35,58 @@ local arch = 'amd64';
         './nginx/build.sh',
       ],
     },
+  ] + [
     {
-      name: 'nginx test',
-      image: 'syncloud/platform-' + distro_default + '-' + arch + ':' + platform,
-      commands: [
-        './nginx/test.sh',
-      ],
-    },
+      name: 'nginx test ' + distro,
+      image: platform_image(distro, arch),
+      commands: ['./nginx/test.sh'],
+    }
+    for distro in distros
+  ] + [
     {
       name: 'web',
       image: 'node:' + node,
       commands: [
         './web/build.sh',
       ],
     },
+    {
+      name: 'catalog',
+      image: 'golang:' + go,
+      commands: [
+        './catalog/build.sh',
+      ],
+    },
+    {
+      name: 'jre',
+      image: 'debian:bookworm-slim',
+      commands: [
+        './jre/build.sh',
+      ],
+    },
+  ] + [
+    {
+      name: 'jre test ' + distro,
+      image: platform_image(distro, arch),
+      commands: ['./jre/test.sh'],
+    }
+    for distro in distros
+  ] + [
+    {
+      name: 'steamcmd',
+      image: 'debian:bookworm-slim',
+      commands: [
+        './steamcmd/build.sh',
+      ],
+    },
+  ] + [
+    {
+      name: 'steamcmd test ' + distro,
+      image: platform_image(distro, arch),
+      commands: ['./steamcmd/test.sh'],
+    }
+    for distro in distros
+  ] + [
     {
       name: 'backend',
       image: 'golang:' + go,
@@ -57,15 +98,17 @@ local arch = 'amd64';
       name: 'cli',
       image: 'golang:' + go,
       commands: [
-        'cd cli',
-        'mkdir -p ../build/snap/meta/hooks',
-        'CGO_ENABLED=0 go build -buildvcs=false -o ../build/snap/meta/hooks/install ./cmd/install',
-        'CGO_ENABLED=0 go build -buildvcs=false -o ../build/snap/meta/hooks/configure ./cmd/configure',
-        'CGO_ENABLED=0 go build -buildvcs=false -o ../build/snap/meta/hooks/pre-refresh ./cmd/pre-refresh',
-        'CGO_ENABLED=0 go build -buildvcs=false -o ../build/snap/meta/hooks/post-refresh ./cmd/post-refresh',
-        'CGO_ENABLED=0 go build -buildvcs=false -o ../build/snap/bin/cli ./cmd/cli',
+        './cli/build.sh',
       ],
     },
+  ] + [
+    {
+      name: 'cli test ' + distro,
+      image: platform_image(distro, arch),
+      commands: ['./cli/test.sh'],
+    }
+    for distro in distros
+  ] + [
     {
       name: 'package',
       image: 'debian:bookworm-slim',
@@ -76,20 +119,32 @@ local arch = 'amd64';
     },
   ] + [
     {
-      name: 'test ' + distro,
+      name: 'test ' + distro_default,
       image: 'python:' + python,
       commands: [
-        'DOMAIN="' + distro + '.com"',
-        'APP_DOMAIN="' + name + '.' + distro + '.com"',
+        'DOMAIN="' + distro_default + '.com"',
+        'APP_DOMAIN="' + name + '.' + distro_default + '.com"',
         'getent hosts $APP_DOMAIN | sed "s/$APP_DOMAIN/auth.$DOMAIN/g" | tee -a /etc/hosts',
         'cat /etc/hosts',
         'APP_ARCHIVE_PATH=$(realpath $(cat package.name))',
         'cd test',
         './deps.sh',
-        'py.test -x -s test.py --distro=' + distro + ' --app-archive-path=$APP_ARCHIVE_PATH --app=' + name + ' --arch=' + arch,
+        'py.test -x -s test.py --distro=' + distro_default + ' --app-archive-path=$APP_ARCHIVE_PATH --app=' + name + ' --arch=' + arch,
+      ],
+    },
+  ] + [
+    {
+      name: 'test-ui-' + projectName,
+      image: 'mcr.microsoft.com/playwright:v1.59.1-jammy',
+      commands: [
+        'DOMAIN="' + distro_default + '.com"',
+        'APP_DOMAIN="' + name + '.' + distro_default + '.com"',
+        'getent hosts $APP_DOMAIN | sed "s/$APP_DOMAIN/auth.$DOMAIN/g" | tee -a /etc/hosts',
+        'cat /etc/hosts',
+        'PLAYWRIGHT_DOMAIN=' + distro_default + '.com ./ci/ui.sh ' + projectName,
       ],
     }
-    for distro in distros
+    for projectName in ['desktop', 'mobile']
   ] + [
     {
       name: 'upload',
@@ -150,19 +205,18 @@ local arch = 'amd64';
     },
   ],
   trigger: {
-    event: ['push', 'pull_request'],
+    event: ['push'],
   },
   services: [
     {
-      name: name + '.' + distro + '.com',
-      image: 'syncloud/platform-' + distro + '-' + arch + ':' + platform,
+      name: name + '.' + distro_default + '.com',
+      image: platform_image(distro_default, arch),
       privileged: true,
       volumes: [
         { name: 'dbus', path: '/var/run/dbus' },
         { name: 'dev', path: '/dev' },
       ],
-    }
-    for distro in distros
+    },
   ],
   volumes: [
     { name: 'dbus', host: { path: '/var/run/dbus' } },

.gitignore

@@ -5,3 +5,7 @@ node_modules/
 web/dist/
 *.snap
 .idea/
+catalog/work/
+# backend/catalog/catalog.json is committed as a stub so 'go build' works
+# locally without running catalog/build.sh; CI regenerates it.
+.claude/

CLAUDE.md

@@ -0,0 +1,135 @@
+# CI
+
+http://ci.syncloud.org:8080/syncloud/games (via 192.168.1.101:8080).
+
+Check builds via API:
+```
+curl -s "http://192.168.1.101:8080/api/repos/syncloud/games/builds?limit=5"
+```
+
+Check which step failed:
+```
+curl -s "http://192.168.1.101:8080/api/repos/syncloud/games/builds/{n}" | python3 -c "import json,sys; d=json.load(sys.stdin); [print(s['name'], s['status']) for st in d['stages'] for s in st['steps']]"
+```
+
+Tail a specific step (stage_number/step_number, both 1-indexed):
+```
+curl -s "http://192.168.1.101:8080/api/repos/syncloud/games/builds/{n}/logs/1/{step}" | python3 -c "import json,sys; [print(l.get('out','').rstrip()) for l in json.load(sys.stdin)]"
+```
+
+Artifacts at `http://ci.syncloud.org:8081/files/games/{build}-amd64/`.
+
+# Status
+
+WIP on `wip` branch. Issue: syncloud/platform#35.
+
+Last green: build #26 (lib64 bundle landed), build #27 has steamcmd diagnostics.
+
+Phases shipped:
+- 0: snap skeleton, stub catalog API, store-styled Vue UI
+- 1: server CRUD + SQLite (modernc.org/sqlite)
+- 2: process management (start/stop/restart, SIGTERM+10s+SIGKILL, process-group)
+- 3: SteamCMD vendor (amd64 only — 32-bit binary, anonymous + user/pass logins)
+- 3c: amd64 lib bundle for 64-bit games (CS2/Valheim/Rust/Factorio) — snap is now host-lib-independent for both archs
+- 4: Pelican egg consumer (best-effort non-docker, parses parkervcp/eggs format)
+- 4b: real Teeworlds install + start + UDP-bound probe — proves the integration test really plays a game in CI
+- 5: in-memory ring-buffer log endpoint (500 lines / server)
+- 6: A2S_INFO Source-engine UDP server query (with challenge handshake)
+- 7: OIDC client registration via `platformClient.RegisterOIDCClient`
+- 8: Playwright e2e (desktop + mobile)
+- 9: docs
+- 16: mobile bottom-bar nav
+- 17: minecraft real install (Pelican egg + bundled JRE)
+- 18: real OIDC code+PKCE flow + backend session middleware; nginx forward-auth dropped
+- 19: full minecraft cycle (install → EULA → start → tcp-bind), SVG icons extracted to assets, dead authelia templates removed
+
+In progress / open:
+- 3b: real HLDS (CS 1.6, appid 90, 250MB) install via SteamCMD — xfailed.
+  steamcmd bootstrap fails with "Steam needs to be online to update" + empty
+  Steam/logs/. lib32 + writable runtime dir aren't enough. Diagnostics added
+  in test_steamcmd_diagnostics — read CI build log to root-cause.
+
+# Architecture
+
+- `cli/` — Go cobra: install / configure / pre-refresh / post-refresh / cli (storage-change, access-change, backup-pre-stop, restore-pre-start, restore-post-start)
+- `backend/` — Go HTTP server on `unix:/var/snap/games/current/backend.sock`
+  - `db/` — SQLite open + schema
+  - `server/` — Store with CRUD on servers
+  - `runner/` — exec.Cmd-based process management with ring-buffer log capture
+  - `installer/` — SteamCMD + Pelican egg install logic
+  - `query/` — A2S_INFO UDP query
+- `web/` — Vue 3 + Vite. Plain CSS theme cribbed from `../store/web` (light/dark, no Element Plus). `web/e2e/` is a self-contained Playwright TS package.
+- `config/` — `nginx.conf` (no auth_request — backend session middleware enforces) + `proxy.conf`. `{{ .AuthUrl }}` rendered by `config.Generate`.
+- `nginx/` — vendored nginx (build.sh copies the entire FS from the nginx docker image)
+- `steamcmd/` — `build.sh` downloads steamcmd_linux.tar.gz
+- `test/` — pytest integration tests using `syncloud-lib`
+
+# Constraints
+
+- **amd64 only.** `.drone.jsonnet` lists only amd64. SteamCMD ships x86_64.
+- **SteamCMD is 32-bit i386.** Snap will need 32-bit glibc bundled — first SteamCMD-based test installs may fail until that's added. Tracked as a follow-up.
+- **Pelican eggs that need Docker won't work.** Backend runs install scripts directly. Best-effort for bash/native eggs (Teeworlds, Minetest work).
+- **Auth = OIDC code+PKCE against Authelia + signed session cookie.** Backend's `auth.Middleware` checks the cookie on every `/api/*` request on the HTTP socket; nginx no longer does `auth_request`. Integration tests use a separate `cli.sock` (file-mode 0660, no auth middleware) reached via `/snap/bin/games.cli`.
+- **Backend ↔ Authelia goes over `authelia.socket`, not HTTPS.** Discovery / token / JWKS requests dial `/var/snap/platform/current/authelia.socket` (path from `golib`'s `GetAuthLocalSocket()`, stored as `authSocket` in `oidc.json`). A RoundTripper rewrites the public `https://` URLs from the discovery doc to `http://` before dialing. The browser redirect (`AuthCodeURL`) still uses the public HTTPS URL because the browser can't dial a unix socket. No syncloud-CA trust needed in the snap as a result.
+
+# Integration test fixture
+
+Use **teeworlds** for any test that needs a real install — smallest server in parkervcp/eggs (~10MB binary, headless, A2S-queryable). Egg: `https://raw.githubusercontent.com/parkervcp/eggs/master/game_eggs/teeworlds/egg-teeworlds.json`. Anonymous-friendly Steam apps (cs2, tf2, gmod, valheim, zomboid, ark) work for Steam-path tests.
+
+# Storage layout (on device)
+
+```
+/snap/games/current/                # read-only squashfs
+  steamcmd/                               # bundled steamcmd_linux.tar.gz contents
+    linux32/steamcmd                      # i386 bootstrap binary
+    steamcmd.sh, steam.sh                 # original wrapper (unused)
+    lib32/                                # ~40MB. i386 base runtime:
+                                          #   ld-linux.so.2
+                                          #   libc.so.6, libstdc++.so.6, libgcc_s.so.1
+                                          #   libcurl.so.4, libssl.so.3, libsdl2, libgl1, ...
+    lib64/                                # ~25MB. amd64 base runtime:
+                                          #   ld-linux-x86-64.so.2
+                                          #   same lib set, amd64 variants
+  web/dist/                               # Vue SPA build
+  nginx/                                  # vendored nginx (etc/, opt/, usr/, lib/)
+  bin/
+    cli                                   # Go cobra hooks binary
+    backend                               # Go HTTP backend (static)
+    service.backend.sh, service.nginx.sh  # systemd wrappers
+    steamcmd.sh                           # wrapper that invokes linux32/steamcmd
+                                          #   via lib32/ld-linux.so.2 + lib32
+
+/var/snap/games/current/            # writable, $SNAP_DATA
+  database.db                             # SQLite catalog of installed servers
+  backend.sock                            # nginx -> backend
+  servers/<name>/                         # per-server install (game files)
+  config/                                 # rendered Authelia includes
+  oidc.secret                             # OIDC client_secret
+  nginx/                                  # nginx state (temp_path etc.)
+  .steam-home/                            # steamcmd's $HOME — Steam/logs/, .steam/
+  .steam-runtime/                         # steamcmd's writable copy
+                                          # (linux32 + public + package + steamcmd.sh)
+
+/var/snap/games/common/             # shared across revisions, $SNAP_COMMON
+  web.socket                              # platform -> nginx (PLATFORM CONTRACT)
+  installed                               # marker file
+```
+
+`web.socket` must stay at `$SNAP_COMMON/web.socket` (platform contract). Everything else under `$SNAP_DATA` so refresh rollback works.
+
+# Game launch wrappers
+
+`installer.steamStartCmd` builds the startCmd for each Steam game using two helpers in `backend/installer/installer.go`:
+
+- `wrapI386(binary, extraPaths, args)` — for HLDS, TF2, GMod (32-bit SrcDS):
+  ```
+  LD_LIBRARY_PATH=lib32[:extra] lib32/ld-linux.so.2 --library-path lib32[:extra] $bin $args
+  ```
+- `wrapAmd64(binary, extraPaths, args)` — for CS2, Valheim, Rust (64-bit native):
+  ```
+  LD_LIBRARY_PATH=lib64[:extra] lib64/ld-linux-x86-64.so.2 --library-path lib64[:extra] $bin $args
+  ```
+
+`extraPaths` typically includes `$installDir` and `$installDir/<mod>` so game-private engine libs (`libtier0_s.so`, `libsteam_api.so`, etc.) resolve.
+
+This pattern means the snap never depends on host glibc/libstdc++/libGL state — same snap should run on any Linux host the platform supports.

README.md

@@ -1,4 +1,4 @@
-# game-server
+# games
 
 Syncloud app: dedicated game server panel.
 
@@ -13,7 +13,7 @@ See commits on `wip` for the phased build-out (server CRUD → process managemen
 ## Architecture
 
 - `cli/` — Go install/configure/access-change/storage-change/backup hooks (cobra).
-- `backend/` — Go HTTP backend on `unix:/var/snap/game-server/current/backend.sock`.
+- `backend/` — Go HTTP backend on `unix:/var/snap/games/current/backend.sock`.
 - `web/` — Vue 3 + Vite SPA, store-styled (`../store/web` look). Plain CSS, no Element Plus.
 - `config/` — nginx + authelia templates rendered at configure time.
 - `nginx/` — vendored static nginx.

backend/.gitignore

@@ -0,0 +1 @@
+/backend